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Abstract 

We present an efficient quantum algorithm for estimating Gauss sums over finite fields and finite rings. 
This is a natural problem as the description of a Gauss sum can be done without reference to a black 
box function. With a reduction from the discrete logarithm problem to Gauss sum estimation we also 
give evidence that this problem is hard for classical algorithms. The workings of the quantum algorithm 
rely on the interaction between the additive characters of the Fourier transform and the multiplicative 
characters of the Gauss sum. 

1 Introduction 

Let X : i? — > C be a multiplicative character and e : i? ^ C an additive character over a finite ring R. 
The Gauss sum G of this triplet (i?, x,e) is the inner product between x ^-iid e, that is: G{R,Xie) '■= 
X^aiefl Gauss sums are useful on many fronts for the analysis of finite fields R = Fpr and rings 
R — "L/nL. In combination with the closely related Jacobi sums, they have been used to prove theorems 
about Diophantine equations, difference sets, primality testing, et cetera. One can view Gauss sums as the 
finite versions of the gamma function r(s) := J^^ x'^^^e^^dx. See Brendt et al. for a book entirely devoted 
to these topics. 

The theory of quantum computation investigates if the laws of quantum physics allow us to process 
information in a more efficient way than is possible by the classical, Turing machine model of computation. 
Strong support for the claim that quantum computers are indeed more powerful than classical ones was given 
in 1994 by Peter Shor who proved the existence of efficient quantum algorithms for factoring and the discrete 
logarithm problem |]l2j . More recently, Hallgren showed that also Pell's equation can be solved in polynomial 
time on a quantum computer . The common ingredient of these (and other) quantum algorithms is the 
use of quantum Fourier transform to extract the periodicity of an unknown function in time logarithmic in 
the size of the domain. See the book by Nielsen and Chuang for a thorough introduction to this field pT| |. 

In this article we describe a quantum algorithm that, given the specification of the characters x ^'^d 
e, efficiently approximates the corresponding Gauss sum, for R a finite field Fpr or a 'modn' ring IjnL. 
Because determining the norm \G\ of a Gauss sum is relatively straightforward, our algorithm focuses on 
estimating the angle 7 mod 27r in the equation G =\G\-^'^ . We describe a quantum transform that induces 
this angle as a relative phase by a mapping |0) + |1) 1-^ |0) + e''*'|l). Because this transformation can be 
implemented efficiently, we can sample the output state O(^) times to get an estimation 7 of the angle 7 
with expected error e. The time complexity of this algorithm is 0(i • polylog|i?|). Using a reduction from 
the discrete log problem to the approximation of Gauss sums, we provide evidence that this is a hard task 
on a classical computer. A discussion on the merits of Gauss sum estimation is included at the end of the 
article. 

Section ^ gives the definitions and known results that we will use for the estimation of Gauss sums over 
finite fields. The basic quantum procedures that we use for our algorithm are defined in Section |3[ the 
algorithm itself is described in Section ^. Next, we discuss the possibility of estimating Gauss sums with 
classical algorithms. The relationship between this problem and the discrete logarithm problem, Galois 
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automorphisms and random walks is explained in Section ^. Section 1^ gives some background that is 
necessary to define the Gauss sum problem for finite rings. A quantum algorithm for this problem is given 
in Section |^. The final Section ^ discusses the connection between the presented algorithm for Gauss sum 
estimation and other quantum algorithms. Also the relative hardness of the problem with respect to other 
known problems is addressed. Throughout the article, results that are already known are indicated as 'facts'. 

2 Gauss Sums over Finite Fields 

2.1 Definitions and Notation: Gauss Sums over Finite Fields 

Let denote the pth root of unity: := e^'^^^P. The trace of an element x of the finite field Fpr over 

Fp is Tr(a;) := Sj=o -^^^^ ^^^^ shown that for every x € Fp^, its trace is an element of the base-field: 
Tr(a;) € Fp. For any (3 G Fpr we also have the related functions x i-^ Tt{(3x). These trace functions are all the 
linear functions Fpr — > Fp (note that /3 = gives the trivial function 0). When we write cj'^''^'' we interpret 
the value Tr(a;) as an element of the set {0, 1, ... .p — 1} C Z. For /3 e Fpr, the functions e^(x) := (J^''^^^ 
describe all possible additive characters Fp^ C. 

Let g be a primitive element of Fpr, i.e. the multiplicative group (g) generated by g equals F*r. For each 

< a < p'' — 2, the function xi9'') '■— Cpr_i (complemented with x(0) :— 0) is a multiplicative character 
Fpr —^ C. Also, every multiplicative character can be written as such a function. For a non-zero x e F*,-, 
the discrete logarithm with respect to g is defined by logg{g^) '■— j modp'' — 1. Hence, every multiplicative 

character can be expressed by x{^) ■— Cp^~i for x ^ and '■— 0. The trivial multiplicative 

character is denoted by and is defined by x*'(0) = and x"(-^) = 1 ^or all x ^ 0. Using the equality 
Cp'-'°i'''^''Cp'--^''^^^ = Cp" ^ 1 it is easy to see that the pointwise multiplication between two characters 
establishes the isomorphism Fpr ~ '^/{v'' — 1)Z. 

Definition 1 (Gauss sums over Finite Fields) For the finite field Fpr, the multiplicative character x, 
and the additive character ep, we define the Gauss sum G by 

G(Fpr,x,/3) := x{x)C^^^l (1) 

xe¥„r 



Example 1 Let x : F5 ^ {0, 1, — 1, i, — i} be the multiplicative character defined by: x(0) — 0; — 1; 

X(2) = i, x(3) = -i anrfx(4) = -1. We see i/ia< G(F5, x, 1) = C5+iC|-iC|-C| = i\/lO + 2^5(1- V5-2i) = 

^.g2^i.0.338..._ 

Obviously, G(Fpr, x°, 0) = p'' - 1, G(Fpr, x", 7^ 0) = -1, and G(Fpr, x, 0) = for x 7^ X°- In general, for 
/3 7^ we have the following fact. 

Fact 1 For (3:^0 it holds that G{¥p.,x,f3S) = x(/3"^)G(Fpr, x, (5). 

Proof: For G(Fpr, x, we have J^xew^r- x{x)Cp'^'^^''^ = xiP~^)T,ze¥pr xiz)Cp'''^''\ where we used the 
substitution x <— zf]"^ and the multiplicativity of x- ■ 
From now on we will assume that the Gauss sum concerns a nontrivial character x and /3 7^ 0. The 
inverse of a character x is defined by x~^{x) ■— x{x) for all a; 7^ and x~^(0) •= (where z is the complex 
conjugate of z). It is known that the norm of a Gauss sum obeys |G(Fpr, x, /3)| — \fW and more specifically 
G(Fpr , X, /3)G(Fpr , x-\ /?) = X(-1)P'-. 

2.2 The Approximate Gauss Sum Problem 

If we want to define the problem of estimating Gauss sums as a computational task, we have to make clear 
what the length of the input is. As stated above, any multiplicative character x '■ Fpr — > C can be described 
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by a triplet {p^,g,a), where g S F*r is a generator of F*,. and a £ Fpr the index of x- As a result, the 
specification of the problem "What is G(Fpr, ;)(;, /3)?" as defined below, requires no more than 0(r logp) bits 
of information. 

Definition 2 (Gauss Sum Problem for Finite Fields) Let Fpr be a finite field, x o, nontrivial character 
over ¥pr and (3 G F*^ . What is ( approximately) the angle 7 mod 2it in the Gauss sum equation G(Fpr = 
• e''^ ? 

A quadratic character is a nontrivial x such that x{^) G {0,1,-1} for all x. By the isomorphism F*r ~ 
X/ijf — 1)Z one sees that such a character is only possible if p is odd and where x is defined by x(ff"' ) = 
(— I)-'. Unlike the case of general characters, the Gauss sums of such quadratic characters are known 
completely: G(Fpr,x,l) = -{-If^ if p 1 mod 4, and G(Fpr,x,l) = -{-iY^ if p = 3 mod 4. (See 
Theorem 11.5.4 in ll for a proof.) 



3 Quantum Computing 

In this section we give a brief overview of the known results on quantum computation that are relevant for 
the rest of this article. For more information, we refer the reader to [p^] . 

3.1 Efficient Quantum Procedures 

Fact 2 (Quantum Phase Estimation) Let 7 be an unknown phase mod27r of the qubit state \x^) := 
-^(|0)+e''''|l)). If we measure this qubit in the orthogonal basis jm^) :— -^(|0)+e"^|l)) and \m^) :— --i=(|0) — 

e"^|l)), then the respective outcome probabilities are P'roh{m^\xj) — + ^ cos(7 — (f>) and Prob(m0|a;^) ~ 
^ — ^ cos(7 — (p). Hence, if we can sample t copies of \x-y) (with various different angles <j>), then we can 
obtain an estimate 7 of the unknown 7 within an expected error of 0{j). 

Shor's famous article ||l^ implies the following result. 

Fact 3 (Efficient Quantum Algorithm for the Discrete Logarithm) There exists a quantum algo- 
rithm that, given a base g G (Z/nZ)* and an element x — g^ mod n, determines the discrete logarithm 
logg(a;) := J in time polylog(n). 

Fact 4 (Efficient Quantum Fourier Transform) Let j3 E ¥*r . The quantum Fourier transform over 
the finite field Fpr , which is defined as the unitary mapping 

^ 4= E C^^'^'^iy) (2) 

for every x G Fpr , can be implemented efficiently on a quantum computer. Similarly, we can also perform 
the Fourier transform over the group 'Ljnlj in an efficient way. 

Sometimes we use the hat notation in : \ip) 1— > [ip) to denote the Fourier transform of a state. 

3.2 Quantum State Preparation 

For every function / : ^ C, we define the state 



I/) ^=^E/(-^)l^) with the £2 norm II/II2 := (3) 
We also allow ourselves to use the shorthand \S) :— ^ ^xes\^)^ '^'-"^ ^"^^ 



In this article we are mostly concerned with the preparation of states \x) that refer to a multiplicative 
character x • ^ ^ C, which is zero for those values that are not in the multiplicative subgroup R* and that 
are powers of for the elements that are in R* . 
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Fact 5 (Phase Kickback Trick [^) // the computation \x) \x)\f{x)) with f{x) G TLjnL can he 'per- 
formed efficiently, then the phase changing transformation \x) i— > Ci{^|a;) can be performed exactly and coher- 
ently in time polylog(n) as well. 

Proof: First, create the state := \x) ® X^j'^o Cnb)i by applying the Fourier transform over 

[Ij/nl) to the rightmost part of the initial state Next, consider the evolution that is established by 

subtracting f{x) mod n to that same rightmost register: 



n — 1 1 n — 1 

\^)®n^ll^n\^) ^ \x)®-y,Ci\j~f{x)) = Cf}^^\x)®^Y.^n\k), (4) 

where we used the substitution j <— + f{x) and the additivity C,n^^''^'' — Cn'^' • Cn- Clearly, the overall 
phase change of this transformation is the one desired. ■ 
The phase kickback trick enables us to induce the character values xi^) phases in a quantum state. 
For those x that have xi^) = we will use the amplitude amplification process of Grover's search algorithm 
to change the amplitudes of the states \x). 

Fact 6 (Quantum Amplitude Amplification) Let f : S {0, 1} be function of which we know the total 
'weight' \\f\\i "^xes fi^) ' "■'^^ specific positions for which f{x) — 1. The corresponding state \f) 
can be efficiently and exactly prepared on a quantum computer with 0(-\/|S'|/||/||i) queries to the function 
/• 

Proof: See the standard literature ((|, H, for example). ■ 
The Facts ^ and ^ show that it is easy to create the state \x) ^p^^i J^xefp^ x{x)\x) with a constant 
number of queries to the function x- Furthermore, we know that x, specified by the triplet {p^,g,a), is 

defined by x(a;) = Cp'-'-i" ^ for ^ ^ ^p'' a-nd x(0) = 0. Using Shor's discrete logarithm algorithm (Fact |^), 
we can calculate this discrete log, from which it follows that given {p'^,g,a), we can create the state |x) 
efficiently in the following way. 

Lemma 1 (Efficient x state preparation) For a finite field Fpv and {p'^,g,a) the specification of a mul- 
tiplicative character x, the state 

\x) -r4=j E (5) 

and its Fourier transform |x) can be created in polylogfp^ ) time steps on a quantum computer. 

Proof: First, use the amplitude amplification process on the set ¥pr and the Fourier transform over 
Z/(p'" — 1)Z to create the initial state 

|F;.)|i) - \ E N> E Ci^'-ii^-)- (6) 

VP \P - -L) xe¥;^ i=o 

Next, in superposition over all x E F*,. states, calculate the discrete logarithm values \ogg{x) and subtract 
Q!log^(a::) mod {p^ — 1) to the state in the rightmost register. By the phase kickback trick of Fact |5| we thus 
obtain the desired state: 

|F»|i> ^ E C-i^^'V>|i) = |x)|i). (7) 

Given this construction, we can also create its Fourier transform |x) by using the quantum Fourier transform 
on Ix). ■ 
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4 Estimating Gauss Sums over Finite Fields 



With the ingredients of the last two sections, we are now ready to describe the quantum algorithm that 
estimates the angle 7 of the Gauss sum G = \G\-e^'^ over finite fields. The crucial part of our algorithm relies 
on the interaction between the Fourier transform Tfj and the multiplicative character x- Using the fact that 
for nontrivial characters x — G{¥pT P) / y/W ' X^ we are able to perform a 7-phase change. By sampling 
this unknown phase factor we can obtain an arbitrary precise estimation of 7 and thus of G'(Fpr, x, /?)• 

Algorithm 1 Consider a finite field Fpr, a nontrivial character x and a /3 G F*r. If we apply the quantum 
Fourier transform {Tp) over this field to the state |x), followed by a phase change \y) 1— s- x^{y)\y), then we 
generate an overall phase change according to 



IX) := ^4=T E ^(-)l-) ^ ^^^5#^IX>. (8) 



G(Fp.,x,/?) 

X\x)\x) I > 

Proof: First, we note that the output after the Fourier transform Tp looks like 



Ix) ^=^— V I V 1 \y)- (9) 



The expression between the big parentheses equals G'(Fpr, x, (iy), which equals xiu ^)G(Fpr, x, /3) for y 7^ 
and is zero if y = 0. In sum, we thus see that 



Vp"(p" - 1) yew,^ 



(10) 



such that indeed after \y) ^ X^{y)\y) we have created the eigenstate |x^ ° x) = ^^~^^lx)- ■ 
With the above algorithm we are now able to efficiently estimate the angle 7 in the equation G(Fpr ,XiP) = 

Theorem 1 (Quantum Algorithm for Gauss Sum Estimation over Fpr) For any e > Q, there exists 
a quantum algorithm that estimates the phase 7 in G{¥pr , x, P) = \JW '6'''', with expected error E[|7 — 7I] < e. 
The time complexity of this algorithm is bounded by 0{j ■ polylog(p'')). 

Proof: By the earlier algorithm, we know that we can induce the phase change |x) >— > e''''|x) in polylog(p'') 
time. If we do this in superposition with a 'stale' component 0, then we have produced the relative phase 
shift + Ix)) '-^ Tf^l*^^ +6'^|x))- As described in Fact |[ we can estimate this phase by measuring the 

states along the axis \m^) := :^(|0) + e"^|x)) for different 0. After 0{j) of such observations, the estimate 
7 of the true 7 will have expected error £[[7 — 7I] < e. ■ 



4.1 Estimation of Jacobi Sums over Finite Fields 

Closely related to Gauss sums are the Jacobi sums, which play an especially important role in primality 
testing [||. 

Definition 3 (Jacobi Sums over Finite Fields) For a finite field Fpi- and two multiplicative characters 
X and ip, the Jacobi sum J(x,ip) is defined by 

Clearly, J(x, V") — Ji4'jchi). With x" the trivial character and t/j a nontrivial character we have 
J{X°,X°) = P'' - 2, J(V', -i/;"!) = -^(-I), and J(x°,^) = -I- (Note that we use the convention x°(0) = 
for the primitive character, not x°(0) = 1-) The other, less trivial, cases have the following connection with 
Gauss sums, which is proven in Section 2 of 
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Fact 7 For x o.'^^d ip be nontrivial multiplicative characters over ¥pr^ with x'P nontrivial as well, it holds 
that J(x,V') = G(Fp.,x,l)G(Fp.,^,l)/G(Fp.,xi^,l). As a result, J(x» = e'^ • 

Corollary 1 (Quantum Algorithm for Jacobi Sum Estimation) Using the Gauss sum estimation al- 
gorithm of Theorem ^ there exists a quantum algorithm that estimates the angle X mod 2tt in J{x, ip) = 
e''^ • \/p^ with expected error e with time complexity 0(i • polylog(p'^)). 

5 The Classical Complexity of Approximating Gauss Sums 

The obvious next question now is: How difficult it is to estimate Gauss sums with classical computers? 
Although we are not able to prove that this is hard, we can give the following reduction, which indicates 
that a classical polynomial time algorithm is unlikely. 

5.1 Reducing the Discrete Log Problem to Gauss Sum Estimation 

Lemma 2 (Reduction from Discrete Log to Gauss Sum Estimation) Let Wpi- be a finite field with 
primitive element g, '■— Cp-^-i o, multiplicative character and x an element of¥*r. With an oracle 

that e -approximates the angle 7 of the Gauss sum G(Fpr , /3) for arbitrary (3, we can efficiently determine, 
classically, the discrete \ogg{x). 

Proof: With x = g^, we try to determine this < £ < p'^ — 2. For k = 1,2,3, .. . we observe, using 
Lemma that: G(Fp., x, a;'=)/G(Fp., x, 1) = x(ff"''0 = ^-~2^ike/(p--i). ^j^jg ^^^gjg _ -2M/{p'- - 1). 
Using the 'powering algorithm' {x ^ x^ ^ x^ ■ ■ ■ et cetera) we can calculate x^ for any < fc < p*" — 2 
in polylog(p'') time, hence we can use our oracle to £-approximate 7^ for any such k. Via the equality 
— ^{p^~l) = k£ mod {p^ — 1) this will give us information on the value of £ mod (p'' — 1) depending on 
k. By estimating 7^ for k — 1, 2, 4, 8, . . . , w p^ , we can thus get a reliable estimation of all log(p'') bits of £, 
thereby calculating the desired value \ogg{x) = £. ■ 

5.2 Galois Automorphisms and Other Homomorphisms of Q{CpT_i,Cpr) 

The previous lemma shows that it is not trivial to estimate the Gauss sum G(Fpr,x,/3) even if we already 
know the value G(Fpr, x, !)• A similar result seems to hold for the estimation of G(Fpr, x", /?) while having 
information on G(Fpr, x, (3). 

As noted earlier, G(Fpr,x,/3) is an element of QiCp^-iXp)- Compare now the two expressions for 

G(Fp.,x,/3) and G(Fp., x", /?), respectively E £0' C^-iCj'^''''^ and E £0' Cp.'^iCp^''^''''^- This shows that 
under the homomorphism : QlCp-'-i^Cp) ^ QiCp^-iXp), with cr^ : Cp--i Cp^-i, we have ■ 
G(Fpr,x,/3) G(Fpr, x", /3). (If gcd(a,p''' — 1) = 1 then this mapping is a Galois automorphism cTq G 
Gal(Q(Cpr_i, Cp)/Q(Cp))- If gcd(a,p'' — 1) 7^ 1 then the mapping CTq is not necessarily bijective, and hence 
not an automorphism.) 

This result suggests that knowledge about the Gauss sum G(Fpr, x, /3) is sufficient to efficiently determine 
G(Fpr,x",/?) for all other a. However, it should be noted that the degree [Q(Cp'--i) Cp) ■ Q(Cp)] equals 
(l){p^ — 1), which is exponential in the input size log(p''). As a result, the ctq mapping concerns an exponential 
number of coefficients, and is hence not efficient. 

5.3 Gauss Sums as Pseudorandom Walks in C 

Let the finite field be a base field Fp. For every x ^ 0, the terms x(2;)e/3(a;) in the summation E^ x{^)^p{^) 
are unit norm vectors in C that together describe a walk in C (of p — 1 steps) from to the final outcome 
G(¥p,x, P)- Viewed like this, an obvious classical attempt to approximate G consists of trying to estimate 
the 'average direction' of the terms x{^)^fi{^) by sampling a small number of x values. It should also be 
obvious that this method will not work for random samples that are not polynomial in p. As the final 
destination G is only away from the origin, a significant average direction can only be obtained with a 
sample size that is polynomial in p. 
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Figure 1: Illustration of the pseudorandom walks described in Example g. The walk R on the left is defined 
by the equation R{t) J2l=o x{t)e{t), while the walk R' on the right obeys R'(t) := X;*Io x(7*)e(7*). 

In fact, the just described walk shares many of the properties that a truly random walk in C would 
have. Not only does the final distance coincide with the expected distance norm of a random walk, but 
also the sequence of steps exhibits the nonregularity of a random process. It is easy to verify that the 
autocorrelation of the sequence x(l)e(l), x(2)e(2), .. . is near-zero: E[x(j)e(j)xO' + s)e(j + s)] = ~'p'Li^ 
for s ^ 0. These pseudorandom characteristics do not change when we indexing of the summation (and 
hence of the sequence) to x(l)e(l), x(3)6(ff), x(ff^)e(5^): ■ ■ • with g a generator of F* , as this sequence obeys 

E[x(5"')6(3"')x(3"'^*)6(5"'^*)] = ~^T^- following example for an illustration of this pseudorandom 

behavior. 

Example 2 Consider the Gauss sum for the finite field F241, with multiplicative generator 7, and the char- 
acter defined by x(7^') := (240- Calculations show that G(F24i,X, 1) = ■ e2'^'0-6772... _6.85 + 13.9i. 
Figure || shows the two pseudorandom walks that are defined by the sequences x(l)e(l), x(2)e(2), . . . (left) 
andx(7°)e(70),x(7i)e(7i),... (right). 



6 Gauss Sums over Finite Rings 

Although the final quantum algorithm for estimating Gauss sums over rings Z/nZ is not much more com- 
plicated than the finite field algorithm, the theory surrounding it is somewhat more elaborate. A large 
part of this section concerns the proper description of a multiplicative character over Z/nZ and its various 
properties. These details are necessary to get a valid definition for the input size of the Gauss sum problem 
over Z/nZ (see Definition |^) . 

6.1 Definitions and Notation: Dirichlet Characters 

Again, the nth root of unity is denoted by Cn '■— e^'^'^^". From Section 1.4 we copy the following facts. 
Consider the multiplicative subgroup (Z/nZ)* with the prime decomposition n — p^^ ■ ■ ■p'f^ ■ Following the 
Chinese remainder theorem we have (Z/nZ)* ~ (Z/pJ^^Z)* x • • • x (Z/p]^.''Z)* , such that |(Z/nZ)*| = 4>{n), 
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with (j) Euler's toticnt function. Furthermore we have 

' {i/p'-iy ~ z/(p-i)p^-izifp>3, 

(Z/2Z)* ~ Z/Z ~ {0}, 

(Z/4Z)* ~ Z/2Z, ^ > 

^ {Z/T"L)* ~ Z/2Z X Z/2'-2z if r > 3, 

hence {li/nL)* is cychc if and only if n = 2,4,p'' or 2p'', with p an odd prime. 

Definition 4 (Dirichlet Characters) function x '■ Z/nZ — > C is a Dirichlet character if for all x,y E 

Tj/nli we have x(a;)x(y) — x{xy) and xi^) — ^ if and only i/gcd(n, a;) 7^ 1. 

Using the muhiphcative decomposition {'L/n'L)* = {'L/p\^'L)* x ••• x (Z/pJ^'^Z)*, we see that all Dirichlet 
characters x ■ (Z/nZ) C can be decomposed as x ~ Xi ' ' ' Xk with Xi ■ i'^/Pi''^) ^ C for every 1 < i < k, 
and thus x{^) '■= Xii^ mod p^^) ■ ■ ■ Xk{x mod pi.'')- 

For p an odd prime the character x ■ Z/p' Z C can be described by the expression x(x) := C0(pr)'' j 
where 17 is a generator of the cyclic (Z/p''Z)*, <j>{p^') — p^^^{p — 1) and a £ Z/(/)(p'")Z. For (Z/2Z)* we only 
have the trivial character x'^, while for (Z/4Z) we have two possibilities: x° and with x"(3) = (—1)" and 
X"(l) = 1- If X is a character over (Z/2''Z)* with r > 3, then we have to decompose the character in two 
terms. The group (Z/2''Z)* is generated by 3 and 5 (see [Q), hence the character can be described by the 
pair ia,a') G (Z/2Z) x {Z/2''-'^Z) such that for all i and i' we have x(3'5^' mod 2'') (-l)™C^Ji'2 (while 
x(a;) = if a; is even). 



Definition 5 (Specification of Dirichlet Characters) Let (Z/nZ)* ~ (Z/2''"Z)* x (Z/p^^Z)* x 



X 



(Z/pI^Z)* ~ (Z/2''oZ)* X (Z/0iZ) X • • • X (Z/0fcZ), wi</i cjjj (pj - l)p^.^ (see Equation The 
specification of a Dirichlet character x • Z/nZ —i-Cis done by three sequences (p,g,a), with the prime 
decomposition p — {pi, . . . ,pk) of n, the generators g ~ (gi, . . . ,gk) G (Z/pl'-Z)* x • • • x {Z/p\!'Z)* of the 
multiplicative groups, and a — ((ao, ctg), ai, . . . , a^) £ (Z/2Z x Z/2''~^) x (Z/0iZ) x ••• x (Z/0/cZ) the 
specification of the characters Xj in the definition x(a^) •= Xo(a^ mod 2'"°)xi(a; mod ■ ■ ■ Xfc(2; mod p)!'') 
with 

Xo(3^5*' mod 2'-«) := (-l)"o*^^"^o':^ and xA^,) '-^ C '"""''^^'^ ^3 ^ (Z/P?^)*, (13) 
while Xji^j) '■— */gcd(x,pj) 7^ 1. 

With this definition, we see that the specification of a Dirichlet character x • Z/nZ C requires only 
O(logn) bits of information. Hence, in the context of such characters, an algorithm that requires polylog(n) 
steps is efficient, while a running time polynomial in n is inefficient. 

Lemma 3 (Calculation of Dirichlet Character Values) Let {p, g, a) be the specification of a character 
X '■ Z/nZ C. Given n and {p,g,a), we can induce the phase change \x) t-^ x{^)\^) foi^ any x G {Z/nZ)* 
efficiently with a quantum algorithm. 

Proof: To compute the phase change |a;) 1— > Xj{^ modp^^)|a;) we perform the following two steps (we use 
a similar protocol for the xo part of x)'- 

1. Use Shor's discrete log algorithm (Fact H) to determine the value Sj := log^^. (a; modp^^). 

2. Use the phase kickback trick (Fact ^) to induce the phase change |a;) i— > C'^^^%y 

Perform the phase changes for all Xj to same x state, such that the overall transformation will be: 
|a;) Xo{x)\x) Xa{x)xi{x) i-> • • • Xa{x)xi{x) ■ ■ ■ Xk{x)\x) = x{x)\x). ■ 

Definition 6 (Conductance and Triviality of Dirichlet Characters) A character x is trivial ifx{x) — 
1 for all x G (Z/nZ)*, that is, if a is the zero vector. The conductor c of a character x • Z/nZ C is 
the minimum value c > 1 for which there is a character Xc ■ Z/cZ C such that x — XcX° where x° 
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is the trivial character over Z/nZ. We call x o, primitive character if x has the maximum conductance 
c — n. The trivial character has conductance 1 and is not primitive. The field Z/pZ has p — 2 primitive 
characters, whereas the ring Z/p'"Z with r > 2 has p^^^{p— 1)^ such characters. For Z/2''Z with r > 2 
this means that all characters x'"^'" ^ '""g primitive ('Z/2Z has no primitive characters, and Z/4Z has one). 

For Tj/p^Z, with p and odd prime, a character x(a;) — C'^^pr^'"^'^ has conductance p^^'^ where p^ \ a, while 
p"'^^ I a. As a result x" primitive, if and only if p \ a. In general, a character over the ring Iju'L with 
(Z/nZ)* ~ (li/pY^y X • • • X (Z/p^'°Z)*, and accordingly X = Xi • • -Xk, is primitive if and only if all Xi 
factors are primitive. 

6.2 Definition and Properties of Gauss Sums over Rings Z/nZ 

The definition of Gauss sums over Z/nZ is a natural generalization of the definition for finite fields. 

Definition 7 (Gauss sums over Finite Rings) For the ring Z/nZ, the Dirichlet character x? md the 
additive character ep{x) '.= Cn^ , we define the Gauss sum G by 

G(Z/nZ,x,/?) := J2 ^(^)C^"- (14) 

Note that the Gauss sum terms are the coefhcients of the Fourier transform of the character: G(Z/nZ, x, P) = 
x(/3), with the Fourier transform over the additive group Z/nZ. See Section 1.6 in [Q for the proofs of the 
facts below. 

Fact 8 Let X be a nontrivial Dirichlet character overZ^/nZ. The summation of all x values obeys X)"=o xi-'^) ~ 
0. If X is trivial, then the sum equals 4>{n). 



Fact 9 Let x be a character over the ring (Z/nZ)* ~ (Z/pq°Z)* x • • • x [TLjp^^l})* , such that X = Xo • • 'Xfe 
with Xi 0, multiplicative character over (Z/p['Z)* for every < i < k. With Ji € (Z/p['Z)* the integers 

such that Jin/pl' = 1 mod it holds that G{Z/nZ, x, P) = IliLo G'(Z/p['Z, Xi^ PJi)- (Such Ji always exist 
because gcd{pi,n/p^') = 1, and hence n/p^' G (Z/p['Z)*, for all i.) 

This last lemma shows that we should only be concerned about Gauss sums over rings Z/p''Z, the size of a 
prime power. For trivial characters, such Gauss sums are easily calculated. 

Fact 10 Let x^ ■ Z/p^Z C be the trivial character, and p' \ (3 with p^^^ \ (3, then 

p'~^{p~l) ifi = r, 
G(Z/p'-Z,x°,/3) = { -P'-' tfj=r-l, (15) 

if j < r - 1. 

Nontrivial characters that are not primitive can be reduced to primitive characters over smaller groups in 
the following way. 

Fact 11 Let x ■ Zjp^Z C be a non-primitive character with conductance p^^^ , then the corresponding 
Gauss sum obeys (note that x modulo p^~'^ will be primitive): 

Similar to the finite field case, the (3 index of the additive character can be 'factored out' as X^^iP)- 

Fact 12 Let x be a primitive character over Z/nZ, then x{P) — X~^^{P)x{^)> ^.''^d hence, equivalently, 
G(Z/nZ,x,/3) =X"^(/3)G(Z/nZ,x,l). Also, \G{Z/nZ,xA)\ ^ holds. 
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7 Estimating Gauss Sums over Finite Rings 



Theorem 2 (Quantum Algorithm for Gauss Sum Estimation over Z/nZ) For any e > 0, there ex- 
ists a quantum algorithm that estimates the phase 7 in G{'L/n'L,XT P) — \G{1t/n'L^XT f^)\ ' j with expected 
error £[[7 — 7I] < e. The time complexity of this algorithm is hounded by ■ polylog(n)). Also the norm 
|G(Z/nZ, X, can be determined in polylog(n) time. 

Proof: 

1. Determine the integers Jq, . . . , Jfc as mentioned in Fact ^. 

2. Calculate the Gauss sums G{Z/p^^'Z,Xi, f3Ji) for the trivial characters Xii using Fact |l0[ Continue 
with the reduced product of nontrivial characters. 

3. Re-express the Gauss sums terms for the periodic characters, using Fact ^ Continue with the reduced 
product of primitive characters. 

4. Use Algorithm || to calculate the norms and estimate the phases of the Gauss sums of the remaining 
primitive characters (using the standard phase estimation technique of Fact ^ this requires 0(i • 
polylog(n)) steps). 

Algorithm 2 Let x '■ Z/nZ ^ C be a primitive character and (3 e Z/nZ. The following algorithm calculates 
the norm and estimates the phase 7 in the Gauss sum G(Z/nZ,x, /?) = |G(Z/nZ, x, • e''''. 

1. If /3 ^ (Z/nZ)* then conclude that G(Z/nZ,x,/3) = (see Fact|l|). 

2. Otherwise, use Shor's discrete log algorithm to determine the x{P~^) factor in the equality G{Z/n'L, x, P) = 
x(/3^"'")G(Z/riZ, X, 1) (Fact |l^). Continue with the estimation of 7 in G(Z/nZ, x, 1) = e^^^/n. 

3. Apply the quantum Fourier transform over the ring Zi/nZ to the state |x), followed by a phase 
change \y) 1-^ X^(y)|y) for all y G CZ/nZ)* in the superposition |x) = J2y xiy)\y)- Because for primitive 
characters x(?/) = X~^(?/)x(l) (Fact [T^), this transformation generate an overall phase change according 
to Ix) 6''''|x). Like in Theorem 0, we use this phase change to estimate 7 to the required precision e. 

■ 

It should be noted that for primitive characters over rings Z/p' Z with r > 2 the Gauss sums G(Z/p'"Z, x, 1) 
are known (Section 1.6 in |^]). Hence step 3 of the above algorithm is not always necessary. 

8 Conclusion and Discussion 

The algorithms that we presented in this article rely on the specific interaction between multiplicative 
characters and Fourier transformations, some of which have been described earlier in Q and |9|. Typical for 
these results is the fact they arc defined for finite fields or finite rings but not for groups, which indicates a 
departure from the Hidden Subgroup framework for quantum algorithms [p^ . What is new about the results 
presented here, is that they describe quantum algorithms for a natural problem that does not assume the 
presence of a black box function. The only other natural problems for which an efficient quantum algorithm 
has been constructed are those described by Shor jl^ and Hallgren 1^ , both of which deal with number 
theory as well. 

For the results of this article it remains therefore an important open question if Gauss sum estimation is 
hard classically, even under the assumption that factoring and discrete logarithms are easy. If this is indeed 
the case, another related question remains: Which problems reduce to Gauss sum estimation that do not 
reduce to factoring or the discrete logarithm problems? 
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